In the trenchesU.S. Army weak on mobile devices security

The U.S. Army has developed a mobile strategy to guide its adoption of mobile devices. A Department of Defense audit found that the Army has been lax in developing security guidelines for the use of the thousands of mobile devices now in service, and that these already-weak and insufficient security guidelines are inconsistently implemented.

A Department of Defense (DoD) audit evaluating how well the U.S. Army addressed security issues related to the adoption by the military of mobile devices, concluded that the army has largely failed.

Fox News reports that the audit covered the use of iOS, Android and Windows mobile devices by Army personnel and in Army facilities where the devices were connected to on-site Wi-Fi networks. In the audit the DoD tracked the use 842 devices, for which DOD paid an estimated $485,794. The audit said that its conclusions applied to the more than 14,000 mobile devices the army has purchased.

The audit discovered many security weaknesses in the Army’s mobile strategy.

The audit notes that Lieutenant General Susan Lawrence, the Army’s chief information officer, , failed to give subordinates the necessary information to protect the devices. In addition, Lawrence did not:

require secure storage for data on mobile devices

insist on keeping mobile devices free of malware

monitor the movements of mobile devices while they were hooked up to computers to make sure that military secrets were kept secret

Even more surprising, the audit found that the Army does not know where all of its mobile devices are. Personal mobile devices given to Army personnel must be authorized before they are used, but according to the audit, around 15,000 unauthorized devices are currently in use.

Another problem is that device disposal regulations are not being enforced. The audit offers the example of a a programmer who failed to report a damaged iPhone, disposed of it himself, and replaced the cell phone with his own funds. The audit says that this is a security risk because someone may across the discarded phone and obtain sensitive information from it.

In addition to these infractions, many phones were not password protected, ran on old operating systems, thus making them vulnerable to viruses and attacks, and did not have any software protection installed.

The Army said it had developed mobile technology guidelines in 2011, but the DoD audit says the measures are sufficient.

The Army and DoD said they were now working together to develop clearer and more effective guidelines, and penalize those who fail to follow these guidelines.